Cyber liability and network security coverage is a constantly evolving, and often confusing, form of insurance, but a necessary part of every collector’s commercial insurance policy line-up. With the increased frequency of hacks and network-breach-related incidents, there is also an increased need for network security awareness. Collection firms and agencies are especially attractive targets due to the large amount of stored data containing personally identifiable information (PII) and protected health information (PHI). Cyber insurance has already become a standard requirement for many collection contracts and association membership certifications, and requests for proof of cyber liability coverage will only continue to increase with time.
The importance of a basic knowledge of cyber liability insurance cannot be overstated. To help lay the groundwork, we will cover some basic questions: What is cyber liability? What coverages should I identify? What factors influence my quotes?
What is cyber liability and network security?
A cyber liability policy blankets many different categories of coverage but includes two major categories of security: network and privacy security.
Network security generally involves a form of unauthorized network access, often leading to a virus, data theft, extortion, and in some cases an inability to conduct business. Those responsible for exploiting a failure in security may be attempting to hold your system for ransom or to take payment information or other PII. At the very least, a network security breach is inconvenient for daily operations, but it is most likely even more financially detrimental, incurring extreme costs in notification requirements, lawsuits, investigations, credit monitoring, public relations, and security enhancements.
Privacy breach, on the other hand, does not necessarily include a network security failure. A privacy breach may involve the theft of physical records or documentation, a lost employee laptop (or other equipment containing information and network access), or even something as simple as an email sent to the wrong consumer. A former employee’s theft of data is also considered a privacy security breach.
A cyber liability policy encompasses these two major categories of coverage, often supplying specific limits for each type of incident. A triggered claim, regardless of the incident, can involve two types of costs: first-party and third-party expenses. First-party costs include any expenses of the company directly related to the breach, including state-regulated notification costs, reputation management, legal and network investigation costs, and the loss of income during a breach. Third-party costs cover expenses incurred from outside the company and may include legal defense, settlements, and regulatory fines and penalties.
What coverages should be on my policy?
There is an abundance of coverages included on a cyber policy, and many variations are based on an individual carrier’s guidelines. Being able to prioritize and filter the various policies can be difficult. To help, here is a prioritized list of important coverages with definitions and coverage intent.
Breach notification cost, sometimes referred to as event management, is the limit of insurance designated to consumer notification in the event of a breach. Forty-eight states and some United States territories have enacted legislation requiring private entities to notify consumers of security breaches when their personally identifiable information is at risk. State laws typically define compliance expectations and what is considered a breach. Often, written and mailed notification is required, which can be a large percentage of the costs paid by the carrier. Based on the number of individuals’ records stored, notification costs alone can be a major expense.
Cyber extortion is the act of demanding payment by threat of data compromise, system lockdown, or other threats requiring a ransom. Cyber extortion has become more common, and often triggers multiple forms of coverage. Extortion coverage is the specific limit designed to pay demands and ransom.
Business interruption limits cover the loss of income and operations expenses when business is interrupted or suspended due to a breach of network security. For example, if an extortionist holds your system for ransom and you can’t conduct business, or your system is shut down while you try to repair damage from a hack or virus, the business interruption limit would cover the lost income. Business Owners Policies (BOPs) do often include a supplemental limit for business interruption costs, but most BOPs exclude business interruption claims arising from a network security event.
Regulatory/PCI fines coverage: specific limits can help cover the costs of dealing with state and federal regulatory agencies which oversee data breach laws and regulations. Costs can include defense, penalties, and fines due to regulatory and PCI compliance violations.
Cyber crime coverage includes limits to indemnify funds lost through email phishing, telephone fraud, fraudulent instructions, or anything dealing with the voluntary transfer of funds due to a scam. Some policies will exclude or sublimit cyber crime coverage, which may help with premium costs. Generally, this coverage is not included on a standard crime/theft policy.
Even though these coverage limits are vital to the integrity and value of the policy, many agents and carriers sublimit the above coverages to help provide a more competitive price. Limits should be evaluated based on the potential costs for risks.
What influences cyber insurance rating?
Cyber insurance, at its most basic, is rated on company revenues, number of stored records, and loss history. There are, however, other factors that can influence the quote options in positive ways, including network access and security protocols, monitoring systems, and data storage.
When filling out applications, it is important to include as many security and procedural details as possible to help in the underwriting process. As underwriters evaluate the risk, operational details can help them provide a more accurate and informed quote option.
Network security awareness continues to be a need as new cyber insurance requirements are beginning to surface within the collections industry. An understanding of basic policy terms and coverages will aid in the review and selection of a policy that fits the needs of the consumer.
If you have questions regarding the above information, questions about a current policy, or are interested in obtaining a quote, please contact us. Cyber liability insurance is one of the many forms of coverage we specialize in, and we would be happy to provide support.